Re: 802.1x problems

2009-01-15 Thread Keith Ledford
On Thursday, January 15, 2009 at 20:36:00, t...@kalik.net wrote:
> Where is his password supposed to be? Ldap auth can't work with mschap,
> so you need to send the password to freeradius. You need to enable ldap
> instances in inner-tunnel virtual server (that will be doing mschap
> auth).

The passwords are in the ldap server (Novell). I don't understand what you mean by

"so you need to send the password to freeradius"

Can you either explain or point me to the proper doc? If ldap auth
can't work with mschap what does everyone do to work with standard
windows clients?

I did enable ldap in the inner-tunnel config file. I did miss that
before. Thanks!



-- 
Keith Ledford 
Network Administrator
EITS Network Engineering
706.542.0723 phone
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


802.1x problems

2009-01-15 Thread Keith Ledford
server (null) {
  PEAP: Setting User-Name to kledford
Sending tunneled request
EAP-Message = 0x021200431a0212003e31910199f838846ecebfb8b1996e431f9a977ba5a70d750315fe66e5f61e48aad8aad8d19f5b65eb8a006b6c6564666f7264
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kledford"
State = 0x577c69d6576e7321a99fdce2c06ba398
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 18 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for kledford with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\022E=691 R=1"
EAP-Message = 0x04120004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\022E=691 R=1"
EAP-Message = 0x04120004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 198 to 172.17.6.205 port 32770
EAP-Message = 0x011300261900170301001b7d7ecb9363773c2925be6270b36c1cc64746512b567f6487e27a4e
Message-Authenticator = 0x
State = 0x0282fb8e0591e22c7ff0f6bedc08a825
Finished request 77.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=199, length=224
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x021300261900170301001b989cf4d191ed8635a159d484e8b3ddcea284fc0177b8ed705dd9d8
State = 0x0282fb8e0591e22c7ff0f6bedc08a825
Message-Authenticator = 0xf942e38c5ad48d5f0723d8062283dcb2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 19 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> kledford
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 78 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 78
Sending Access-Reject of id 199 to 172.17.6.205 port 32770
EAP-Message = 0x04130004
Message-Authenticator = 0x
Waking up in 3.5 seconds.
Cleaning up request 70 ID 191 with timestamp +511079
Cleaning up request 71 ID 192 with timestamp +511080
Waking up in 0.1 seconds.
Cleaning up request 72 ID 193 with timestamp +511080
Cleaning up request 73 ID 194 with timestamp +511080
Cleaning up request 74 ID 195 with timestamp +511080
Waking up in 0.1 seconds.
Cleaning up request 75 ID 196 with timestamp +511080
Cleaning up request 76 ID 197 with timestamp +511080
Cleaning up request 77 ID 198 with timestamp +511080
Waking up in 1.0 seconds.
Cleaning up request 78 ID 199 with timestamp +511080

-- 
Keith Ledford 
Network Administrator
EITS Network Engineering
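An added triage helper (not code from the thread or from FreeRADIUS) that parses the inner-tunnel section of a debug log like the one posted above and reports why mschap rejected the request, tying the "No NT/LM-Password" lines to the advice in the reply that ldap has to run inside inner-tunnel so a password reaches mschap. The sample log is a constructed, trimmed excerpt of the output shown; the error-code table is assumed from RFC 2759 section 6.

```python
import re
# Constructed, trimmed excerpt of the inner-tunnel debug output posted in the thread
SAMPLE_LOG = """\
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[eap] returns updated
Found Auth-Type = EAP
+- entering group authenticate {...}
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\\022E=691 R=1"
"""

MODULE_RE = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)$", re.M)  # "++[mod] returns rcode"
ERROR_RE = re.compile(r'MS-CHAP-Error = ".*?E=(\d+)')               # E=<code> in the failure TLV
# MS-CHAPv2 failure codes as listed in RFC 2759 section 6 (assumed from the RFC)
MSCHAP_ERRORS = {646: "restricted logon hours", 647: "account disabled", 648: "password expired",
                 649: "no dialin permission", 691: "authentication failure", 709: "changing password"}

def inner_tunnel(log):
    """Return the text of the 'server inner-tunnel { ... }' block, or '' if absent."""
    m = re.search(r"server inner-tunnel \{(.*?)\} # server inner-tunnel", log, re.S)
    return m.group(1) if m else ""

def diagnose(log):
    """Explain why the tunneled MS-CHAPv2 exchange ended in a reject."""
    inner = inner_tunnel(log)
    modules = dict(MODULE_RE.findall(inner))  # module -> last return code seen in inner-tunnel
    err = ERROR_RE.search(log)
    code = int(err.group(1)) if err else None
    report = {
        "mschap_error": code,
        "mschap_error_text": MSCHAP_ERRORS.get(code, "unknown"),
        "ldap_ran_in_inner_tunnel": "ldap" in modules,   # did any ldap instance run in authorize?
        "no_password_source": "No NT/LM-Password" in inner,
    }
    if report["no_password_source"] and not report["ldap_ran_in_inner_tunnel"]:
        report["verdict"] = "ldap never ran in inner-tunnel authorize, so no Cleartext-Password/NT-Password reached mschap"
    elif report["no_password_source"]:
        report["verdict"] = "ldap ran but supplied no password: check that the lookup returns a password attribute mschap can use"
    elif modules.get("mschap") == "reject":
        report["verdict"] = "mschap had a password but the MS-CHAPv2 response did not match it"
    else:
        report["verdict"] = "no mschap rejection found in the inner tunnel"
    return report
```

Run it against a full `radiusd -X` capture and `diagnose()` distinguishes a missing password source (the case in this thread) from a plain wrong-password reject, both of which the client only sees as E=691.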